AES-Rijndael with ActionScript and ASP.Net

Cristian Merighi () 4.86

A useful example of how to pass encrypted data between a Flash object and a server-side application developed with .Net technology, using the Rijndael/AES algorithm.
This article is obsolete. Some functionalities might not work anymore. Comments are disabled.

These days I'm working on an online application that consists of a Flash game and a related managed skill contest, whose final result is a ranking of the ten top scorers.
These ten top scorers will receive a very nice prize when the contest is over...

One of the most requested features for this application was security! (OK, I know, that's a basic requirement, but in this case it matters more than usual because of the prize money.)

The crucial point of weakness in this application is the passing of data between the Flash game (client side) and the application logic (server side).
We wanted to prevent malicious users from sniffing, posting or forging data in order to fix the standings.

The answer to this request pointed to data encryption!

We know it is impossible to prevent a user from capturing his own HTTP data, but we want to ensure he cannot read it in order to reproduce fake posts.
The .Net Framework is pretty rich in encryption APIs (and future versions will be even richer, take a look at what's coming with the next Orcas CTP), but the ActionScript APIs are lacking in this area...
Thanks to Mika Palmu, who has built a very useful package of ActionScript 2.0 classes focused on cryptography, we can accomplish the mission with relative ease...

Here's a working swf to summarize the workflow:

Here's the core ActionScript used in order to encrypt the input string:

var aesMode:String = "ECB";
var aesKey:String = "01230123012390129012901A"; // equal key server side
var aes:it.pacem.Rijndael = new it.pacem.Rijndael(192, 128);
cipher_txt.text = aes.encrypt(plain_txt.text, aesKey, aesMode);

Here's the core C# used in order to decrypt the cipher text:

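// Requires: using System.IO; using System.Security.Cryptography;
// cipherText: byte[] holding the cipher text received from the Flash request.
MemoryStream msDecrypt = null;
CryptoStream csDecrypt = null;
StreamReader srDecrypt = null;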

System.Security.Cryptography.RijndaelManaged aesAlg = null;

string plaintext = null;

try
{
    // Create a RijndaelManaged object
    // with the specified key (the IV parameter is omitted because of ECB CipherMode).
    aesAlg = new System.Security.Cryptography.RijndaelManaged();
    // Key is a byte[]: convert the 24-character (192-bit) key string, assuming ASCII encoding.
    aesAlg.Key = System.Text.Encoding.ASCII.GetBytes("01230123012390129012901A");
    aesAlg.Mode = CipherMode.ECB;
    // Set PaddingMode.Zeros in order to use the same padding mode as in the Flash ActionScript class.
    aesAlg.Padding = PaddingMode.Zeros;

    // Create a decryptor to perform the stream transform.
    ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);

    // Create the streams used for decryption.
    msDecrypt = new MemoryStream(cipherText);
    csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read);
    srDecrypt = new StreamReader(csDecrypt);

    // Read the decrypted bytes from the decrypting stream
    // and place them in a string.
    plaintext = srDecrypt.ReadToEnd();
}
finally
{
    // Clean things up.
    // Close the streams.
    if (srDecrypt != null)
        srDecrypt.Close();
    if (csDecrypt != null)
        csDecrypt.Close();
    if (msDecrypt != null)
        msDecrypt.Close();

    // Clear the RijndaelManaged object.
    if (aesAlg != null)
        aesAlg.Clear();
}
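
The same parameters (AES, 192-bit key, ECB, zero padding) as a self-contained C# round trip, added here as an example and not taken from the article's download. It uses `Aes.Create()` in place of `RijndaelManaged`, assumes the key string is converted with ASCII encoding, and shows two consequences of these settings: zero padding leaves trailing 0x00 bytes after decryption, and ECB encrypts equal plaintext blocks to equal ciphertext blocks. Class and method names are illustrative.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class AesEcbZeroPaddingDemo   // illustrative name, not from the article's download
{
    // The article's 24-character key; ASCII conversion is an assumption (24 bytes = 192 bits).
    static readonly byte[] Key = Encoding.ASCII.GetBytes("01230123012390129012901A");

    static Aes CreateCipher()
    {
        Aes aes = Aes.Create();
        aes.Mode = CipherMode.ECB;        // ECB uses no IV
        aes.Padding = PaddingMode.Zeros;  // pads the last block with 0x00 bytes
        aes.Key = Key;
        return aes;
    }

    public static byte[] Encrypt(string plain)
    {
        byte[] data = Encoding.ASCII.GetBytes(plain);
        using (Aes aes = CreateCipher())
        using (ICryptoTransform enc = aes.CreateEncryptor())
            return enc.TransformFinalBlock(data, 0, data.Length);
    }

    public static string Decrypt(byte[] cipher, bool trim)
    {
        using (Aes aes = CreateCipher())
        using (ICryptoTransform dec = aes.CreateDecryptor())
        {
            // Zero padding is not removed on decryption: it cannot be told apart from data.
            string text = Encoding.ASCII.GetString(dec.TransformFinalBlock(cipher, 0, cipher.Length));
            return trim ? text.TrimEnd('\0') : text;
        }
    }

    static void Main()
    {
        byte[] c = Encrypt("score=1200");   // constructed sample payload
        Console.WriteLine("raw length {0}, trimmed length {1}",
            Decrypt(c, false).Length, Decrypt(c, true).Length);

        // Two identical 16-byte plaintext blocks: under ECB their ciphertext blocks match,
        // so repeated or replayed content is recognisable without knowing the key.
        byte[] two = Encrypt(new string('A', 32));
        Console.WriteLine("blocks equal: {0}",
            Convert.ToBase64String(two, 0, 16) == Convert.ToBase64String(two, 16, 16));
    }
}
```

Trimming with `TrimEnd('\0')` is only safe for text payloads that never end in a NUL character themselves.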

For the specifications about the Rijndael/AES Algorithm please refer to the official AES Standard (FIPS PUB 197) and to the System.Security.Cryptography.RijndaelManaged MSDN reference.

pdf file « download AES Standard (FIPS PUB 197) in PDF format
zip file « download code

Take care. Bye.

Feedbacks

  • Re: AES-Rijndael with ActionScript and ASP.Net

    zuppaman Saturday, March 10, 2007 5.00

    Thx for this very nice sample !

  • Re: AES-Rijndael with ActionScript and ASP.Net

    CMerighi Saturday, March 10, 2007 0.00

    You're welcome, Zuppaman. Glad to see that you appreciate it...

  • Re: AES-Rijndael with ActionScript and ASP.Net

    Kees Tuesday, March 13, 2007 0.00

    Great example! thanks

  • Re: AES-Rijndael with ActionScript and ASP.Net

    jake Tuesday, March 04, 2008 4.00

    hi, i am a student from Singapore. i am currently working on a sch project that involves flash lite application which need to use AES encryption. but after looking at your example, i am still pretty much confused. basically i have a AES Key - 16byte, and a string of data. how do i go about doing the encryption? can you advise?

  • Re: AES-Rijndael with ActionScript and ASP.Net

    CMerighi Wednesday, March 05, 2008 0.00

    Hi Jake, I guess the downloadable example is pretty straightforward, you can anyway send your perplexities to my email address: cristian(at)pacem(dot)it. I'll try - I'll be out til next week - to answer as soon as possible.

  • Re: AES-Rijndael with ActionScript and ASP.Net

    xenonii Saturday, March 15, 2008 0.00

    If you put the key in the SWF, it is still insecure I think, since they can decompile the SWF and read the key. Is there a solution for this?

  • Re: AES-Rijndael with ActionScript and ASP.Net

    CMerighi Saturday, March 15, 2008 0.00

    You're right Xenonii and this is a good question, clientside stuff is always risky. In the specific case mentioned at the beginning of this article, I've been flushing to the client several different swf binaries, with different embedded keys (using ashx file). Each single user never faced the same swf more than once. That way even a hyper-malicious user couldn't repeat the same request to the server twice, the swf itself wasn't cached in the temporary internet files storage and hence unretrievable. The encryption was only one of the expedients used in that scenario.
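
A server-side sketch of the one-key-per-SWF idea described in the reply above, added here as an example and not the author's code. The store, its method names and the id handed out with each key are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical registry: one random AES key per served SWF, redeemable exactly once.
sealed class OneTimeKeyStore
{
    private readonly ConcurrentDictionary<string, byte[]> _keys =
        new ConcurrentDictionary<string, byte[]>();

    // Called when a SWF is generated: returns the id to embed together with the key.
    public string Issue(out byte[] key)
    {
        key = new byte[24];                        // 192-bit key, as in the article
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(key);
        string id = Guid.NewGuid().ToString("N");  // lookup handle only, not a secret
        _keys[id] = key;
        return id;
    }

    // Called when a post arrives: the key is removed on first use, so a second
    // post carrying the same id (a replay) finds no key and must be rejected.
    public bool TryRedeem(string id, out byte[] key)
    {
        return _keys.TryRemove(id, out key);
    }

    static void Main()
    {
        var store = new OneTimeKeyStore();
        byte[] issued, first, second;
        string id = store.Issue(out issued);
        Console.WriteLine("first post accepted: {0}", store.TryRedeem(id, out first));
        Console.WriteLine("replay accepted: {0}", store.TryRedeem(id, out second));
    }
}
```

A key delivered inside the SWF can still be read by the user who received that SWF; the store only limits each key to a single accepted post.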

  • Re: AES-Rijndael with ActionScript and ASP.Net

    Shiv Sunday, March 16, 2008 0.00

    Ok, so I use this code but when decrypting on the server side, I get junk. I've used the cipher text that your client produces on this page as well as one I've made in Flex Builder 3 using the code you show. Cristian, this is exactly what I'm looking for. An ActionScript and C# example. Thank you! However, I'm not able to get this to work on the C# end. I use the cipher text the client on this page produces. I take that cipher text and use it in the C# code you've shown. The result is junk. I've built my own client in Flex Builder 3. The cipher text it produces (using the same key) is different from what your client produces. Attempting to decrypt this cipher text using the C# code you've provided again results in junk. Note: The C# code you show in this page is not compilable. The Key property is a byte[] so I use Encoding.Utf8.GetBytes() to convert the string key to a byte[]. I do the same for the cipher text (which also needs to be a byte[]). Even though I use the same key you have here, my cipher text is different from the one your client produces.

  • Re: AES-Rijndael with ActionScript and ASP.Net

    CMerighi Monday, March 17, 2008 0.00

    Hi Shiv, did you take a look at the code provided at the bottom of the article? There you'll find the fully working bunch of files used for the example above (C# .ashx + .fla + .as). Of course the extract of C# code printed on the page won't compile: it's just an extract. Take a look at the full code inside the .ashx file. There you'll see I've been using Ascii encoding to translate the cipher text (coming from the flash request) into cipher byte[], then I passed it all to a RijndaelManaged instance. Bye!

  • Re: AES-Rijndael with ActionScript and ASP.Net

    Terry Monday, June 23, 2008 0.00

    Cristian, thanks for posting this article - it was a big help in a current project. I did run into one strange problem, though, which also appears in your sample code: when calling decryptStringFromBytes_AES() to decrypt the string sent from Flash, the decrypted string contains a bunch of null characters appended to it. The workaround I used is to strip them out in a while loop before storing them in a database.

  • Re: AES-Rijndael with ActionScript and ASP.Net

    Andrzej P. Wednesday, August 13, 2008 5.00

    Great example !

  • Re: AES-Rijndael with ActionScript and ASP.Net

    Selim Tuesday, September 23, 2008 5.00

    I like your script. I want to use it but I have a problem. I converted it to vb.net. It works correctly. But at the .aspx page the variable always returns with a few white spaces (blanks) at the end. Like this: "test ". So I couldn't compare it with some other variable. I tried everything I know (RTrim, replace, Cstr). But I couldn't remove those white spaces from code. Any idea??

  • Re: AES-Rijndael with ActionScript and ASP.Net

    CMerighi Wednesday, September 24, 2008 0.00

    Hi Selim, it's an intrinsic issue that relies upon the PaddingMode (http://msdn.microsoft.com/en-us/library/system.security.cryptography.paddingmode.aspx) that's been used. See the post from Terry (few lines above)...

  • Re: AES-Rijndael with ActionScript and ASP.Net

    Rao Monday, October 20, 2008 5.00

    Great example. ThanX

  • Re: AES-Rijndael with ActionScript and ASP.Net

    John Friday, October 31, 2008 5.00

    Thanks for this example, I'm wondering how I would encrypt the data going from asp.net to actionscript.

  • Re: AES-Rijndael with ActionScript and ASP.Net

    John Friday, October 31, 2008 5.00

    Actually I fixed my problem, I wasn't setting the padding or the CipherMode. Caused all sorts of crazy errors.

  • Re: AES-Rijndael with ActionScript and ASP.Net

    Parag Tuesday, November 04, 2008 5.00

    Good example... I had been searching the net for similar code.

  • Re: AES-Rijndael with ActionScript and ASP.Net

    Keith Wednesday, November 19, 2008 4.00

    Hi, I'm trying to encrypt a string in the flash which contains spanish characters such as áéí. When I decrypt it in the aspx, those characters appear as funny characters. I believe this is caused by the fact that Rijndael.as is using ASCII encoding, how can this be changed to use UTF-8 encoding? Thanks!

  • Re: AES-Rijndael with ActionScript and ASP.Net

    matute Tuesday, February 17, 2009 0.00

    'bout the whitespaces issue, try replacing the "\0" with "". str.replace("\0","") it's quite easier (and faster) than using a loop cheers

  • Re: AES-Rijndael with ActionScript and ASP.Net

    Gerry Saturday, February 21, 2009 5.00

    How would you do the reverse, please provide sample code of encrypting text on the server and decrypting in the flash file. Thanks. The sample just does not cover both scenarios.

  • Re: AES-Rijndael with ActionScript and ASP.Net

    Enrique Friday, March 06, 2009 5.00

    Thank You Very Much, it was very useful...

  • Re: AES-Rijndael with ActionScript and ASP.Net

    CuneyQ Wednesday, March 18, 2009 5.00

    it was very useful, thank you. is there c# code for encrypt ?!?

  • Re: AES-Rijndael with ActionScript and ASP.Net

    Navagon Monday, March 30, 2009 0.00

    Great work. Regarding the key embedding, I would use an asymmetric (public/private) key pair. Embed the public key and keep the private on the server. This will ensure the message can only be decrypted at the server.

  • Re: AES-Rijndael with ActionScript and ASP.Net

    Mike Thursday, July 30, 2009 0.00

    Hello, that's a great example thank you. But I have a problem to use this source code with this php classes. The result is just good with only 16 characters. I really don't know why... http://www.phpclasses.org/browse/package/4238.html Someone can help ?

  • Re: AES-Rijndael with ActionScript and ASP.Net

    Alex Kleshchevnikov Tuesday, September 22, 2009 0.00

    Is there an example of encrypt in C# and decrypt in actionscript?

  • Re: AES-Rijndael with ActionScript and ASP.Net

    yil Wednesday, December 09, 2009 0.00

    great topic, thanks a lot

  • Re: AES-Rijndael with ActionScript and ASP.Net

    Hi all Thursday, December 17, 2009 0.00

    anyone can help me decrypt it on PHP code. thanks.

  • can not encrypt chinese word.

    Malcom Monday, January 18, 2010 5.00

    Hi, If I encrypt a chinese word(two bytes) and decrypt it. I got different result. Can it resolve ? Thanks.

  • Re: AES-Rijndael with ActionScript and ASP.Net

    Josh Friday, July 02, 2010 5.00

    I got this working great... but there are a few issues 1) Every decrypted message has "0\0\0\0\0\0\" on the end 2) It mistakes " for 3) It also incorrectly decrypts \ as \ Any clue on how to fix?
